Constants

const (
	// ClockSkewTolerance is the time window for certificate expiry validation.
	// Subtract from NotBefore check, add to NotAfter check (REQ-011): a certificate is
	// accepted when NotBefore - ClockSkewTolerance <= now <= NotAfter + ClockSkewTolerance.
	ClockSkewTolerance = 5 * time.Minute
)

const (
	// DebounceInterval is the wait time after file events stop before triggering reload.
	// Multiple rapid file events (e.g., during atomic writes) are coalesced into a single reload.
	DebounceInterval = 500 * time.Millisecond
)
Variables
This section is empty.
Functions

func CalculateFingerprint
func CalculateFingerprint(cert *x509.Certificate) string
CalculateFingerprint calculates the SHA-256 fingerprint of a certificate. The fingerprint is calculated from cert.Raw (complete ASN.1 DER content) to ensure deterministic results.
Returns hex-encoded SHA-256 hash (64 characters). Useful for operational logging and verification of certificate identity.
func ValidateCertificate

func ValidateCertificate(cert *tls.Certificate) error

ValidateCertificate is a standalone validation function that checks a certificate's NotBefore/NotAfter against the current time with ClockSkewTolerance applied on both ends. It can be used independently of CertificateLoader, for example to validate a newly loaded certificate before swapping it in during hot-reload.
Types

type CertWatcher
type CertWatcher struct {
// contains filtered or unexported fields
}
CertWatcher watches a certificate directory for file changes and triggers reload callbacks. Implements debouncing to handle multiple file events during atomic writes. Watches the directory (not individual files) to handle editors that use temp file + rename.
func NewCertWatcher

func NewCertWatcher(certDir string, certFiles []string, onReload func(string), logger logr.Logger) *CertWatcher

NewCertWatcher creates a certificate watcher for the specified directory and files.

Parameters:

- certDir: Directory containing certificate files (e.g., "/var/lib/neuwerk/certs")
- certFiles: List of certificate file paths to watch (full paths are accepted; only the basename is used for matching)
- onReload: Callback function triggered when a watched file changes (receives the full path)
- logger: Logger for debugging file events

Example:

	watcher := NewCertWatcher("/var/lib/neuwerk/certs",
		[]string{"/var/lib/neuwerk/certs/nats-server.crt", "/var/lib/neuwerk/certs/nats-server.key"},
		func(path string) { reloadCertificate(path) },
		logger)
func (*CertWatcher) Start

func (cw *CertWatcher) Start(ctx context.Context) error

Start begins watching the certificate directory for changes. It blocks until the context is cancelled, so it should be run in a goroutine. Returns context.Canceled when stopped gracefully, or an error if watcher setup fails.

File watching strategy:

- Watches the directory, not individual files (handles atomic writes via temp file + rename)
- Filters events to only the watched certificate files
- Ignores Chmod events (system tools generate many spurious ones)
- Debounces rapid events (DebounceInterval, 500ms, of quiet after the last event before the callback fires)
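The filtering and debouncing rules listed for Start, as an added example that is not the package's watcher. It assumes nothing about the underlying notification library: the Event type and the replayed burst are constructed for the example, the Debouncer, NewDebouncer, Handle and SimulateAtomicRotation names are illustrative stand-ins, and the directory and file names are the ones from the NewCertWatcher example above.

```go
package main

import (
	"fmt"
	"path/filepath"
	"sort"
	"sync"
	"time"
)

// Event is a constructed stand-in for a directory-watcher notification; Chmod marks attribute-only changes.
type Event struct {
	Path  string
	Chmod bool
}

// Debouncer applies the three rules listed for Start: accept only watched basenames,
// drop Chmod events, and fire onReload once per file after `interval` of quiet.
type Debouncer struct {
	mu       sync.Mutex
	watched  map[string]string // basename -> full path handed to onReload
	timers   map[string]*time.Timer
	interval time.Duration
	onReload func(string)
}

// NewDebouncer accepts full paths or bare names in certFiles, as NewCertWatcher does.
func NewDebouncer(certDir string, certFiles []string, interval time.Duration, onReload func(string)) *Debouncer {
	d := &Debouncer{watched: map[string]string{}, timers: map[string]*time.Timer{}, interval: interval, onReload: onReload}
	for _, f := range certFiles {
		base := filepath.Base(f)
		d.watched[base] = filepath.Join(certDir, base)
	}
	return d
}

// Handle feeds one event and reports whether it passed the filters. A temp-file + rename
// write produces events on "name.tmp" (dropped) followed by one on the final name (accepted).
func (d *Debouncer) Handle(ev Event) bool {
	if ev.Chmod {
		return false
	}
	base := filepath.Base(ev.Path)
	full, ok := d.watched[base]
	if !ok {
		return false
	}
	d.mu.Lock()
	defer d.mu.Unlock()
	if t := d.timers[base]; t != nil {
		t.Stop() // another event inside the window: restart it
	}
	var t *time.Timer
	t = time.AfterFunc(d.interval, func() {
		d.mu.Lock()
		if d.timers[base] == t { // clear only our own entry, never a newer timer's
			delete(d.timers, base)
		}
		d.mu.Unlock()
		d.onReload(full)
	})
	d.timers[base] = t
	return true
}

// SimulateAtomicRotation replays a constructed burst resembling a temp-file + rename rotation
// of both files; it returns how many events passed the filters and the sorted paths reloaded.
func SimulateAtomicRotation(interval time.Duration) (accepted int, reloaded []string) {
	dir := "/var/lib/neuwerk/certs"
	reloads := make(chan string, 16)
	d := NewDebouncer(dir, []string{dir + "/nats-server.crt", dir + "/nats-server.key"}, interval,
		func(path string) { reloads <- path })
	burst := []Event{
		{Path: dir + "/nats-server.crt.tmp"},          // temp file: not a watched basename
		{Path: dir + "/nats-server.crt.tmp"},          // write into the temp file
		{Path: dir + "/nats-server.crt"},              // rename lands the final name: accepted
		{Path: dir + "/nats-server.crt", Chmod: true}, // permission fix-up: ignored
		{Path: dir + "/nats-server.key.tmp"},          // same dance for the key
		{Path: dir + "/nats-server.key"},              // accepted
		{Path: dir + "/nats-server.crt"},              // second write inside the window: coalesced
		{Path: dir + "/ca.crt"},                       // unrelated file in the same directory
	}
	for _, ev := range burst {
		if d.Handle(ev) {
			accepted++
		}
	}
	time.Sleep(3 * interval) // let every quiet window elapse
	for len(reloads) > 0 {
		reloaded = append(reloaded, <-reloads)
	}
	sort.Strings(reloaded)
	return accepted, reloaded
}

func main() {
	accepted, reloaded := SimulateAtomicRotation(500 * time.Millisecond)
	fmt.Println("accepted:", accepted, "reloaded:", reloaded)
}
```

Two points the per-file timer makes visible: the rename that lands the final name is the only event for that file that survives the basename filter, and the second write on nats-server.crt inside the window restarts the timer instead of scheduling a second reload. A watcher with a single timer for the whole directory would also reload once per burst, but could not tell the callback which file changed.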
type CertificateLoader

type CertificateLoader struct {
// contains filtered or unexported fields
}
CertificateLoader loads and validates TLS certificates from filesystem. It provides clock skew tolerance for expiry validation and optional chain verification.
func NewCertificateLoader
func NewCertificateLoader(certFile, keyFile, caFile string, logger logr.Logger) *CertificateLoader
NewCertificateLoader creates a certificate loader for the specified files. caFile is optional (empty string to skip chain validation).
func (*CertificateLoader) Load
func (cl *CertificateLoader) Load() (*tls.Certificate, error)
Load reads and validates the certificate from filesystem. Returns the loaded tls.Certificate if successful. Validation includes expiry checks with clock skew tolerance and optional chain verification.
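An added illustration, not the package's own code, of the checks this page describes: CalculateFingerprint's hash over cert.Raw, ValidateCertificate's skew-tolerant expiry check, and the optional chain verification that Load performs when a CA file is configured. The names Fingerprint, ValidateAt, LoadAndVerify, mustSigned and MustTestPKI are illustrative stand-ins, the ClockSkewTolerance value is the page's, the loader takes PEM bytes rather than file paths so it runs without touching disk, and the CA and server certificate are constructed ed25519 test material generated in-process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

const ClockSkewTolerance = 5 * time.Minute // same value as the package constant

// Fingerprint hashes cert.Raw (the complete DER): `openssl x509 -noout -fingerprint -sha256` without colons.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// ValidateAt: accept iff NotBefore-tol <= now <= NotAfter+tol. It parses Certificate[0] itself (Leaf is nil
// after LoadX509KeyPair on older Go releases) and returns the parsed leaf; c must hold at least one cert.
func ValidateAt(c *tls.Certificate, now time.Time) (*x509.Certificate, error) {
	l, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return nil, err
	}
	if now.Before(l.NotBefore.Add(-ClockSkewTolerance)) {
		return nil, fmt.Errorf("certificate not yet valid: NotBefore=%s now=%s", l.NotBefore.UTC(), now.UTC())
	}
	if now.After(l.NotAfter.Add(ClockSkewTolerance)) {
		return nil, fmt.Errorf("certificate expired: NotAfter=%s now=%s", l.NotAfter.UTC(), now.UTC())
	}
	return l, nil
}

// LoadAndVerify parses the pair, runs the expiry check and, when caPEM is non-empty, verifies the chain.
func LoadAndVerify(certPEM, keyPEM, caPEM []byte, now time.Time) (*tls.Certificate, string, error) {
	c, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, "", err
	}
	l, err := ValidateAt(&c, now)
	if err != nil {
		return nil, "", err
	}
	if len(caPEM) > 0 {
		roots := x509.NewCertPool()
		if !roots.AppendCertsFromPEM(caPEM) {
			return nil, "", fmt.Errorf("no CA certificate found in caPEM")
		}
		// x509.Verify checks the leaf's own validity window at CurrentTime with no skew tolerance.
		if _, err := l.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}); err != nil {
			return nil, "", fmt.Errorf("chain verification failed: %w", err)
		}
	}
	return &c, Fingerprint(l), nil
}

// mustSigned makes an ed25519 key and a cert for tmpl signed by parent (self-signed when parent is nil).
func mustSigned(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// MustTestPKI builds constructed test material (a CA plus a CA-signed server pair, PEM-encoded); panics on failure.
func MustTestPKI(notBefore, notAfter time.Time) (certPEM, keyPEM, caPEM []byte) {
	ca, caKey := mustSigned(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test CA"},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	leaf, key := mustSigned(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "nats-server"},
		DNSNames: []string{"nats-server"}, NotBefore: notBefore, NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	keyDER, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		panic(err)
	}
	enc := func(typ string, b []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: b}) }
	return enc("CERTIFICATE", leaf.Raw), enc("PRIVATE KEY", keyDER), enc("CERTIFICATE", ca.Raw)
}
```

The comment inside LoadAndVerify marks the caveat worth knowing before wiring a caFile: x509.Certificate.Verify checks the leaf's validity window at CurrentTime with no tolerance of its own, so a certificate four minutes past NotAfter passes the tolerant expiry check and is then rejected by chain verification. A loader that wants the tolerance to cover chain verification as well has to clamp CurrentTime into the leaf's real window; otherwise the effective tolerance is zero whenever a CA file is configured. KeyUsages is ServerAuth here because the example certificate is a server certificate; use the usage that matches the certificate's role.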